Open Source and information security mailing list archives
Date: Wed Dec 21 13:45:51 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: Ioncube Encoded PHP Files

On Thu, Dec 22, 2005 at 12:04:17AM +1100, mz4ph0d@...il.com wrote:
> On 12/21/05, Joachim Schipper <j.schipper@...h.uu.nl> wrote:
> > Pretty much any source code encoding scheme can be defeated, given
> > enough work. The point is in making sure that it is too much work to do
> > so.
> >
> > Though I wonder what the point is - it's not likely to be all that hard
> > to run the code on another system. The main point seems to be to prevent
> > administrators from making local changes, and I must admit to not seeing
> > a problem with people who have bought the software doing that.
> 
> 
> Agreed, but in this case the application is for a security purpose
> rather than change or server control. Looking for a secure way to
> include an AES password in a PHP script for use with AES_ENCRYPT() in
> MySQL without that password being viewable even if the source of the
> page is compromised. Ioncube seems to fit the bill, but wanted to
> enquire about whether or not that's the case.

If the application you are using gets a password, hashes it, and
compares it against the hash of the password you want to see, why not
just store the second hash? That will do everything you want.

Could you elaborate on what you want to do, exactly? The above, of
course, is only useful if the hash does not grant privileges equivalent
to the password.

And I don't know about you, but I'd rather rely on restrictive
permissions in the database, the irreversibility of hashes, or somesuch
(more-or-less) known-good method.
(Consider, for instance, what happens when an attacker grabs the source
code, and runs it in a controlled environment - it doesn't take too much
effort to find out it uses MySQL, and it is not likely very difficult to
get the app to spew the password at your very own MySQL server with some
extra logging features.)

		Joachim
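The two designs contrasted in the reply above, written out as an added example that is not part of the original thread: store only a salted hash when all the script has to do is verify a password, and, when a reversible key really is needed for MySQL's AES_ENCRYPT(), protect it with restrictive file permissions rather than source encoding. The file path and the key-length minimum are assumptions for the demo; it runs under the PHP CLI with no database.

```php
<?php
// Added example, not code from the thread. Assumed: PHP 7.2+ CLI; no MySQL needed.

// Design 1: verification only. No secret lives in the script. A salted
// password_hash() digest is stored, and login input is checked against it,
// so an attacker who obtains the source gains no usable credential.
function makeVerifier(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $input, string $storedHash): bool {
    return password_verify($input, $storedHash);   // constant-time comparison
}

// Design 2: the key must be reversible (it is handed to AES_ENCRYPT()).
// Then the protection is permissions, not encoding: keep the key outside the
// document root, readable only by the application user, and refuse to start
// if the file is group- or world-readable. The key still travels to the MySQL
// server inside the query, so the DB connection should use TLS and a
// least-privilege account; prefer Design 1 wherever only verification is needed.
function loadAesKey(string $path): string {
    $perms = @fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("key file missing: $path");
    }
    if (($perms & 0077) !== 0) {              // any group/other permission bits set?
        throw new RuntimeException("key file $path must be mode 0600");
    }
    $key = trim((string) file_get_contents($path));
    if (strlen($key) < 16) {                   // assumed minimum for this demo
        throw new RuntimeException("key too short");
    }
    return $key;
}

// Stand-alone demo with constructed sample data and a temporary key file.
$hash = makeVerifier('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
var_dump(verifyPassword('wrong password', $hash));

$tmp = tempnam(sys_get_temp_dir(), 'aeskey');
file_put_contents($tmp, bin2hex(random_bytes(16)));
chmod($tmp, 0600);
var_dump(strlen(loadAesKey($tmp)));
chmod($tmp, 0644);                             // loosen permissions: must be refused
try {
    loadAesKey($tmp);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
unlink($tmp);
```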
